Issues with DWF Autocad files...

Julian Field MailScanner at ecs.soton.ac.uk
Sun Mar 1 16:49:22 GMT 2009



If you have "Find Archives By Content = yes" then it will always apply 
the filename and filetype checks to the contents of attachments which 
are really archives, regardless of the filename.

So you cannot avoid the checks this way, except by setting that switch 
to "no" at which point people can get past your filename traps by just 
zipping the dodgy file and renaming the zip file so it doesn't end in 
".zip".

After all, what's the difference between a file in an archive that is 
really a DWF file generated by Autocad, and a malicious file in an 
archive which the attacker chose to call "pretty.dwf"?

Jules.

On 1/3/09 14:33, Philip Butler wrote:
> Hi all,
>
> I am having an issue with some Autocad (.DWF) files.  It seems that 
> these files are basically a zip type format with some .tmp files 
> within.  I have had one person tell me that the .tmp sub-files are 
> font caches or something.
>
> I have tried adding .dwf to the filetype rules to allow, but MS still 
> unzips and finds the .tmp files.  I can remove the .tmp line from the 
> filename.rules.conf file and MS will then allow the message to pass, 
> but it's obvious that this is not an optimal solution.
>
> Is there a way to unconditionally allow .dwf files and stop scanning 
> within for the filename rules?  It would be nice if it would still 
> scan for viruses, but to nix the filetype rules.
>
> I have searched the net and MS list archives and haven't found 
> anything that pops out at me.  That's not to say this hasn't been 
> answered before - I just haven't found it.
>
> Thanks,
>
> Phil
>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
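
The trade-off described in this message, as an added example that is not part of the original post and is not MailScanner's own code: a small Python model of filename checks applied to archive members, with the archive recognised either by content or by extension. The deny patterns, function names and sample attachment are all constructed for illustration.

```python
import io
import re
import zipfile

# Constructed deny rules, standing in for entries in filename.rules.conf.
DENY_RULES = [re.compile(r"\.tmp$", re.I), re.compile(r"\.exe$", re.I)]


def denied(name):
    """Return True if a filename matches any deny rule."""
    return any(rule.search(name) for rule in DENY_RULES)


def check_attachment(filename, data, find_archives_by_content=True):
    """Return the list of names (outer or inner) that trip a deny rule.

    With find_archives_by_content=True the bytes decide whether the
    attachment is an archive; otherwise only a ".zip" extension does.
    """
    hits = [filename] if denied(filename) else []
    if find_archives_by_content:
        is_archive = zipfile.is_zipfile(io.BytesIO(data))
    else:
        is_archive = filename.lower().endswith(".zip")
    if is_archive:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                hits += [f"{filename}/{m}" for m in zf.namelist() if denied(m)]
        except zipfile.BadZipFile:
            hits.append(f"{filename} (unreadable archive)")
    return hits


def make_zip(members):
    """Build a ZIP in memory from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample: a ZIP container named like a DWF drawing.
SAMPLE = make_zip({"manifest.xml": b"<m/>", "fontcache.tmp": b"\x00" * 16})

if __name__ == "__main__":
    print(check_attachment("plan.dwf", SAMPLE, True))   # inner .tmp is seen
    print(check_attachment("plan.dwf", SAMPLE, False))  # archive not opened
    print(check_attachment("plan.zip", SAMPLE, False))  # extension gives it away
```

The content-based check cannot tell a genuine DWF container from any other ZIP renamed to `.dwf`, which is why the inner `.tmp` member is reported in the first call and missed in the second.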





